Amazon Web Services and Privacy Law

Introduction

Amazon Web Services (AWS) is considered by many to be the gold standard for cloud computing. Using AWS’ services may raise privacy law issues because AWS is providing information storage, management and infrastructure to technology businesses. In many cases, businesses use these capabilities to store “personal information”.

The key question for businesses is whether their use of AWS counts as a ‘disclosure’ of personal information under privacy law for a benefit, service or advantage. We will assume that using AWS for business purposes affords a benefit, service or advantage to businesses. On that basis, disclosure of personal information to AWS would attract the application of the Australian Privacy Principles (APPs). The APPs require measures like privacy policies and privacy consents.

Our research into this question was based on the following services:

Disclosure and Effective Control

The Office of the Australian Information Commissioner (OAIC) is Australia’s regulatory authority for privacy. The OAIC takes the view in the APP Guidelines that contracting with a service provider like AWS and giving them access to personal information will be a disclosure of personal information, except in limited circumstances (para B.138). There will be a disclosure unless the business retains ‘effective control’ over the information that AWS has access to.

The concept of effective control is not well defined. The APP Guidelines indicate that your contractual arrangements with service providers are the key factor in assessing effective control. According to the APP Guidelines (paragraphs B.137-138), the following factors will be significant, though none of them decides the question by itself:

  • the contract is binding on you and AWS;
  • AWS is only allowed to handle the personal information for the limited purpose of providing its service; and
  • the contract requires subcontractors to agree to the same obligations as AWS.

Other factors which may contribute to effective control are:

  • whether your business retains the right or power to access, change or retrieve the information (and for what purposes);
  • who else can access it and for what purposes; and
  • whether you can retrieve or permanently delete the information from the AWS database when the term of your contract with them is over.

AWS and Effective Control

Do the services provided by AWS, and the contracts under which they are provided, leave you with ‘effective control’ over data that you store and manage on their systems? The answer is not clear cut.

On the one hand, AWS claims that their clients retain effective control over data stored on AWS systems. In its white paper, ‘Using AWS in the context of Australian Privacy Considerations’, AWS says, for example (at p 7):

    Customers using AWS maintain and do not release effective control over their content. Customers control their content from the time of creation.

They go on to specify features of this control, such as control over format, encryption, storage location and security. They also emphasise their own lack of control and access (at p 7):

    AWS only uses each customer’s content to provide the AWS services selected by each customer to that customer and does not use customer content for any secondary purposes. AWS treats all customer content the same and has no insight as to what type of content the customer chooses to store in AWS. AWS simply makes available the compute, storage, database and networking services selected by customer – AWS does not require access to customer content to provide its services.

Further, AWS does not have a privacy policy compliant with Australian law. AWS would only need a privacy policy if they collected personal information. In other words, they do not seem to consider that effective control over personally identifiable information is passing to them. If AWS is right, businesses do not generally disclose personal information simply by using AWS to store personal information.

On the other hand, certain AWS contract terms, policies and practices arguably contradict this view. In AWS’s service terms, AWS reserves the right to review, test, and require customers to modify, content to ensure compliance with their standards (see clauses 1.4, 3.1, 6.5). The exercise of this right is in AWS’s sole discretion. In their acceptable use policy, they reserve the right to monitor, access, remove or modify content that violates their policy. The fact that a business has no right to influence the process used when AWS reviews and tests content points to a loss of control by the business. The same is true of AWS’s right to modify content.

These arrangements seem to detract from their customers’ effective control over personal information stored on AWS. On one view, these incursions on customers’ effective control appear to be within the scope of ‘handling personal information for the limited purpose of providing its service’ (see comments on disclosure and effective control, above). On the other hand, these AWS contractual carve-outs for access are quite broad.

You could therefore take the different view that they do not give a clear picture of the relationship between:

  • the purposes for which AWS gives access;
  • the persons who get such access; and
  • the overall ‘limited purpose’ of providing their services.

On that view, AWS’s contractual arrangements do not seem to clearly satisfy the APP Guidelines for keeping effective control with their customers.

Moreover, the AWS white paper remains ambiguous about whether its customers disclose personal information to it. In its analysis of obligations under the APPs (at p 9-10), AWS repeatedly states that customers must take responsibility for their own privacy compliance in using AWS. Yet ultimately the white paper makes a reserved conclusion about disclosure (p 10):

    OAIC guidance indicates that information provided to a cloud service provider subject to adequate security and strict user control may be a “use” by the customer and not a “disclosure”. Accordingly, using AWS services to store personal information outside Australia at the choice of the customer may be a “use” not a “disclosure” of customer content.

This language – “may be” not “is” – falls short of a decisive statement that using AWS to store personal information is a ‘use’ rather than a ‘disclosure’ of the information. Ultimately, AWS advises customers to seek legal advice if they are concerned about disclosure or overseas disclosure (p 10). This seems to be a concession from AWS that the status of the service they provide is not completely certain.

Conclusion and takeaway points

  • Generally, tech businesses must comply with the Australian Privacy Principle obligations (such as obtaining privacy consents and having a privacy policy) if they ‘disclose’ personal information for business purposes.
  • Whether there is a disclosure depends on whether the customer releases data stored on AWS infrastructure from its effective control.
  • There are indications that businesses using AWS retain effective control for most practical purposes.
  • However, the APP Guidelines give weight to contractual arrangements as the key indicators of effective control.
  • In practice, the burden will be on businesses to demonstrate that they retain effective control through contractual arrangements.
  • AWS terms and policies arguably leave scope for AWS to interfere with their customers’ effective control.
  • This means there is uncertainty about whether using AWS is a disclosure for privacy law purposes. There are reasonable arguments both for and against this view.
  • Businesses should therefore be cautious about assuming that using AWS is not a disclosure of personal information.
  • Best practice for demonstrating effective control is to put in place all of the binding contractual provisions identified by the APP Guidelines as indicators of effective control.
  • If there is uncertainty about whether contractual arrangements reflect the indicators of effective control in the APP Guidelines, it is prudent to comply with the APPs in so far as they apply to businesses that disclose personal information.